Host Firewall for macOS

Control communications on your endpoints based on the network location of your device by using the Cortex® XDR™ host firewall.
The Cortex XDR host firewall enables you to control communications on your endpoints. To use the host firewall, you set rules that allow or block traffic on the devices and apply them to your endpoints using Cortex XDR host firewall policy rules. Additionally, you can configure different sets of rules based on the current location of your endpoints, within or outside your organization network. The Cortex XDR host firewall rules leverage the operating system firewall APIs to enforce these rules on your endpoints; they do not replace or override your existing Windows or Mac firewall settings.
In Cortex XDR 3.0, no change was made to the Host Firewall Configuration or operation on macOS endpoints. All existing policies configured in Cortex XDR 2.9 still apply and will continue to work as expected with Cortex XDR agent 7.2 or a later release. Enforcement events triggered by macOS endpoints are not included in the Host Firewall Events table.
To configure the Cortex XDR host firewall in your network, follow this high-level workflow:

Enable Network Location Configuration

If you want to apply location-based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. On every heartbeat, and whenever the Cortex XDR agent detects a network change on the endpoint, the agent runs the device location test and recalculates the policy for the new location.

Add a New Host Firewall Profile

Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.
Rules created on macOS 10 and Cortex XDR agent 7.5 and prior are managed only in the Legacy Host Firewall Rules and do not appear in the Rule Groups tables.
  1. Log in to Cortex XDR.
    Go to Endpoints > Policy Management > Extensions Profiles > Profiles and select + New Profile. Select the Platform, select Host Firewall, and click Next.
  2. Fill in the General Information for the new profile.
    Assign a Profile Name and an optional description to the profile.
  3. Define your Report Settings.
    When the profile operates in report mode, Cortex XDR overrides all rules set to Block traffic: the traffic is allowed through, and the enforcement event is reported as Override Block. Use report mode, for example, to test new block rules before you actually enforce them.
  4. Configure Internal and External Rule Groups.
    To apply location-based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. When enabled, Cortex XDR enforces the host firewall rules based on the current location of the device: one set of rules applies while the device is within the internal organization network (Internal Rules) and another while it is outside it (External Rules), enabling you, for example, to enforce stricter rules when the device is out of the office in a public place. If you disable the Location Based option, the policy applies only the internal set of rules, regardless of the device's location.
    Create a New Rule or add a rules group to the Internal/External Groups:
    1. Click +Add Group.
    2. Select one or more groups, and click Add.
      To apply exactly the same rules in both locations, select Add as external/internal rules groups as well.
    3. Review the rule group field details.
      The groups are listed according to the order of enforcement from top to bottom. To change this order, click the group's priority number and drag the group to the desired row.
      Field: Description
      Applicable Rules Count: Number of rules in the group that apply to the platform of this profile.
      Created by: Email address of the user who created the group.
      Creation Time: Date and time when the group was created.
      Description: Description of the group, if available.
      Group ID: Unique rules group ID.
      Group Name: Name of the rules group.
      Mode: Whether the rules group is enabled or disabled.
      Modified by: Email address of the last user who changed the group.
      Modification Time: Date and time when the group was last modified.
    4. (Optional) Select View Rules to view the details of all the rules within the rules group. The table is filtered to the rules associated with the platform of the profile you are creating.
      A rule whose protocol is Any but that also specifies ports cannot be edited. If you save such a rule as a new rule, the previously defined ports are removed from the cloned rule.
    5. Set the Default Action for Inbound/Outbound Traffic in the profile to Allow or Block. The default action applies to every connection that does not match any rule in the profile; set it to Allow if you want all unmatched connections to go through.
  5. (Optional) Manage Legacy Host Firewall Rules.
    Manage host firewall rules created on macOS 10 and Cortex XDR agent 7.5 and earlier.
    1. Enable Manage Host Firewall to allow Cortex XDR to manage the host firewall on your Mac endpoints.
    2. Configure the host firewall Internal and External settings.
      The host firewall settings allow or block inbound communication on your Mac endpoints. Enable or Disable the following actions:
      • Stealth Mode: Hide your Mac endpoint on TCP and UDP networks by enabling Apple's stealth mode, so the endpoint does not answer unsolicited probes such as ICMP ping.
      • Block All Incoming Connections: Select whether to block all incoming connections on the endpoint.
      • Application Exclusions: Allow or block incoming connections to specific programs on the endpoint, identified by Bundle ID.
      If the profile is location based, you can define both internal and external settings.
  6. Save your profile.
    When you're done, click Create to save your host firewall profile.

Apply Host Firewall Profiles to Your Endpoints

After you define the required host firewall profiles, you must configure the Protection Policies that enforce them on your endpoints. Cortex XDR applies Protection Policies to endpoints from top to bottom, in the order you arrange them on the page; the first policy that matches the endpoint is applied. If no policy matches, the default policy, which allows all communication to and from the endpoint, is applied.
  1. Log in to Cortex XDR.
    Go to Endpoints > Policy Management > Extensions Policy Rules > +New Policy.
  2. Configure settings for the host firewall policy.
    1. Assign a policy name, an optional description, and the operating system.
    2. Assign the host firewall profile you want to use in this rule.
    3. Click Next.
    4. Select the target endpoints on which to enforce the policy.
      Use filters or manual endpoint selection to define the exact target endpoints of the policy rule.
    5. Click Done.
    Alternatively, you can associate the host firewall profile with an existing policy. Right-click the policy and select Edit. Select the Host Firewall profile and click Next. If needed, edit other settings in the rule (such as target endpoints or description). When you're done, click Done.
  3. Configure the policy hierarchy.
    Drag and drop the policies into the desired order of evaluation.
  4. Save the policy hierarchy.
    After the policy is saved and applied to the agents, Cortex XDR enforces the host firewall policies in your environment.
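The evaluation order the two procedures above describe (rule groups and rules applied top to bottom within a profile, Internal or External groups chosen by device location, report mode turning Block into Override Block, the default action for unmatched traffic, and policies tried top to bottom with an allow-all default) worked through as a small Python model. This is an added example by the editor, not Cortex XDR code: the match fields (direction, protocol, remote CIDR, port), the endpoint filter shape and the sample rules are assumptions for illustration, not the product's real matching logic.

```python
# Editor's added model of the evaluation order described on this page (not Cortex XDR code).
# The match fields (direction, protocol, remote CIDR, port) and endpoint filter are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "block"
    direction: str              # "inbound" or "outbound"
    protocol: str = "any"       # "tcp", "udp" or "any"
    remote: str = "0.0.0.0/0"   # remote address range (CIDR)
    port: Optional[int] = None  # None means any port

@dataclass
class Group:
    name: str
    rules: list                 # ordered, top to bottom
    enabled: bool = True        # the "Mode" column: disabled groups are skipped

@dataclass
class Profile:
    name: str
    internal: list                   # rule groups in priority order
    external: list
    location_based: bool = True
    report_mode: bool = False
    default_inbound: str = "allow"   # Default Action for Inbound Traffic
    default_outbound: str = "allow"  # Default Action for Outbound Traffic

@dataclass
class Connection:
    direction: str
    protocol: str
    remote_ip: str
    port: int

def rule_matches(rule: Rule, conn: Connection) -> bool:
    if rule.direction != conn.direction:
        return False
    if rule.protocol != "any" and rule.protocol != conn.protocol:
        return False
    if rule.port is not None and rule.port != conn.port:
        return False
    return ip_address(conn.remote_ip) in ip_network(rule.remote, strict=False)

def evaluate(profile: Profile, conn: Connection, on_internal_network: bool):
    """Return (what the endpoint does, what the enforcement event would say)."""
    # A location-based profile picks Internal or External groups by location;
    # without location-based enforcement the internal groups apply everywhere.
    use_internal = on_internal_network or not profile.location_based
    groups = profile.internal if use_internal else profile.external
    action = source = None
    for group in groups:                  # groups top to bottom
        if not group.enabled:
            continue
        for rule in group.rules:          # rules top to bottom, first match decides
            if rule_matches(rule, conn):
                action, source = rule.action, f"{group.name}/{rule.name}"
                break
        if action:
            break
    if action is None:                    # no rule matched: default action
        action = profile.default_inbound if conn.direction == "inbound" else profile.default_outbound
        source = "default action"
    if action == "block" and profile.report_mode:
        return "allow", f"Override Block ({source})"   # report mode lets it through
    return action, f"{action.capitalize()} ({source})"

@dataclass
class Policy:
    name: str
    profile: Profile
    targets: Callable[[dict], bool]   # endpoint filter (shape assumed)

# The fallback policy when nothing matches allows all communication (page).
DEFAULT_POLICY = Policy("default", Profile("default", [], [], location_based=False), lambda ep: True)

def select_policy(policies: list, endpoint: dict) -> Policy:
    """Policies are tried top to bottom; the first whose targets match wins."""
    for policy in policies:
        if policy.targets(endpoint):
            return policy
    return DEFAULT_POLICY

# Constructed sample: admins may SSH in from the corporate range while on the
# internal network; off-site, every inbound connection is blocked.
ADMIN_SSH = Group("admin-ssh", [Rule("ssh-from-corp", "allow", "inbound", "tcp", "10.0.0.0/8", 22)])
NO_INBOUND = Group("no-inbound", [Rule("block-all-inbound", "block", "inbound")])
LAPTOP_PROFILE = Profile("laptops", internal=[ADMIN_SSH, NO_INBOUND], external=[NO_INBOUND])
POLICIES = [Policy("mac-laptops", LAPTOP_PROFILE,
                   lambda ep: ep["os"] == "macOS" and ep["group"] == "laptops")]

def decide(endpoint: dict, conn: Connection, on_internal_network: bool):
    """Full path: choose the policy for this endpoint, then evaluate its profile."""
    policy = select_policy(POLICIES, endpoint)
    return (policy.name,) + evaluate(policy.profile, conn, on_internal_network)

if __name__ == "__main__":
    laptop = {"os": "macOS", "group": "laptops"}
    ssh = Connection("inbound", "tcp", "10.1.2.3", 22)
    print(decide(laptop, ssh, on_internal_network=True))   # ('mac-laptops', 'allow', 'Allow (admin-ssh/ssh-from-corp)')
    print(decide(laptop, ssh, on_internal_network=False))  # ('mac-laptops', 'block', 'Block (no-inbound/block-all-inbound)')
```

Swapping the order of the two internal groups makes the block-all group shadow the SSH allow rule, which is why the page tells you to check group priority; setting report_mode on the profile changes the returned verdict to allow while the event text becomes Override Block.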

Monitor the Host Firewall Activity on your Endpoint

To view only the communication events on the endpoint to which the Cortex XDR host firewall rules were applied, run the Cytool firewall show command on the endpoint.
Additionally, to monitor the communication on your macOS endpoint, you can use the operating system's own firewall settings: on the endpoint, go to System Preferences > Security and Privacy > Firewall > Firewall Options to view the list of applications that are blocked or allowed in the firewall. The Cortex XDR host firewall blocks only incoming communications on Mac endpoints; outbound communication initiated from the endpoint is still allowed.
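Because the host firewall sits on the operating system's firewall APIs, the OS's own tool is the ground truth for the legacy settings in step 5 above (Stealth Mode, Block All Incoming Connections, Application Exclusions) and complements the Firewall Options view just mentioned. The following Python check is an added example by the editor, not part of Cortex XDR: it reads the Mac's application firewall state with Apple's socketfilterfw and reports any drift from what a profile's Internal or External settings are meant to enforce. The sample command output is constructed and the exact wording socketfilterfw prints is an assumption (the parser keys on the words enabled/disabled rather than full lines); reading the live state needs macOS, and root for some queries. The mapping from the app paths socketfilterfw lists to the Bundle IDs Cortex XDR uses is done by reading each bundle's Info.plist.

```python
# Editor's added check (not Cortex XDR code): compare the Mac application firewall
# state reported by socketfilterfw with the settings a legacy profile should enforce.
# Sample outputs below are constructed; the exact socketfilterfw wording is assumed.
import pathlib
import plistlib
import re
import subprocess
import sys

SOCKETFILTERFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"

def _enabled(text: str) -> bool:
    """True for lines like 'Stealth mode enabled' or 'Firewall is enabled. (State = 1)'."""
    return re.search(r"\benabled\b", text, re.I) is not None

def parse_listapps(text: str) -> dict:
    """Map app path -> 'allow'/'block' from --listapps output. Assumed entry shape:
       '1 :  /Applications/Zoom.us.app'
       '      ( Allow incoming connections )'"""
    pattern = r"^\s*\d+\s*:\s*(\S.*?)\s*\n\s*\(\s*(Allow|Block) incoming connections\s*\)"
    return {path: verdict.lower() for path, verdict in re.findall(pattern, text, re.M)}

def parse_alf(global_out: str, stealth_out: str, blockall_out: str, listapps_out: str) -> dict:
    return {
        "firewall_on": _enabled(global_out),
        "stealth": _enabled(stealth_out),      # Stealth Mode
        "block_all": _enabled(blockall_out),   # Block All Incoming Connections
        "apps": parse_listapps(listapps_out),  # per-application allow/block
    }

def bundle_id(app_path: str):
    """Cortex XDR exclusions are keyed by Bundle ID while socketfilterfw lists paths;
    CFBundleIdentifier in the bundle's Info.plist links the two."""
    info = pathlib.Path(app_path) / "Contents" / "Info.plist"
    if not info.is_file():
        return None
    with info.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleIdentifier")

def drift(state: dict, expected: dict) -> list:
    """Differences between the endpoint's firewall state and the profile's settings."""
    findings = []
    if not state["firewall_on"]:
        findings.append("application firewall is off; nothing below is enforced")
    for key in ("stealth", "block_all"):
        if state[key] != expected[key]:
            findings.append(f"{key}: endpoint={state[key]} profile={expected[key]}")
    for path, verdict in expected.get("apps", {}).items():
        actual = state["apps"].get(path)
        if actual != verdict:
            findings.append(f"{path}: endpoint={actual} profile={verdict}")
    return findings

def read_live_state() -> dict:
    """Query the real firewall (macOS only; some queries need root)."""
    def run(flag):
        return subprocess.run([SOCKETFILTERFW, flag], capture_output=True, text=True).stdout
    return parse_alf(run("--getglobalstate"), run("--getstealthmode"),
                     run("--getblockall"), run("--listapps"))

# Constructed sample output shaped like socketfilterfw's (format assumed).
SAMPLE_GLOBAL = "Firewall is enabled. (State = 1)\n"
SAMPLE_STEALTH = "Stealth mode disabled\n"
SAMPLE_BLOCKALL = "Block all DISABLED!\n"
SAMPLE_LISTAPPS = """ALF: total number of apps = 2

1 :  /Applications/Zoom.us.app
 \t ( Allow incoming connections )
2 :  /usr/local/bin/node
 \t ( Block incoming connections )
"""

# Constructed External settings of a legacy profile: stealth on, no block-all,
# one application exclusion allowed.
EXPECTED_EXTERNAL = {"stealth": True, "block_all": False,
                     "apps": {"/Applications/Zoom.us.app": "allow"}}

if __name__ == "__main__":
    state = read_live_state() if sys.platform == "darwin" else parse_alf(
        SAMPLE_GLOBAL, SAMPLE_STEALTH, SAMPLE_BLOCKALL, SAMPLE_LISTAPPS)
    for line in drift(state, EXPECTED_EXTERNAL) or ["no drift"]:
        print(line)   # sample data prints: stealth: endpoint=False profile=True
```

Run it on a managed Mac after the next heartbeat and compare its findings with the profile that the endpoint's matching policy assigns; a stealth or block-all mismatch that persists means the enforcement did not reach the OS firewall, which on macOS will not show up in the Host Firewall Events table.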
